ICS-CERT: Sielco Sistemi Winlog Buffer Overflow Vulnerability

This advisory is a follow-up to the alerts titled “ICS-ALERT-12-166-01Sielco Sistemi Winlog Buffer Overflow” that was published June 14, 2012, and “ICS-ALERT-12-179-01 Sielco Sistemi Winlog Multiple Vulnerabilities” that was published June 27, 2012, on the ICS-CERT Web page.

Mr. Hollmann and Mr. Auriemma have tested the release to validate that it resolves the vulnerabilities. These vulnerabilities can be remotely exploited. Exploit code is publicly available for these vulnerabilities.

Successful exploitation of these vulnerabilities could lead to a program crash, information leakage, or arbitrary code execution.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.

BACKGROUND

Sielco Sistemi is an Italy-based company that creates supervisory control and data acquisition (SCADA)/human-machine interface (HMI) software and hardware products. Winlog Lite SCADA is a demo version of the Winlog Pro SCADA/HMI system.

According to Sielco Sistemi, Winlog Pro SCADA is deployed across several sectors including manufacturing, public utilities, telecommunications, and others. Sielco Sistemi products are deployed mainly in Italy, Turkey, Canada, USA, Indonesia, and Spain.

VULNERABILITY OVERVIEW

FAILURE TO CONSTRAIN OPERATIONS WITH THE BOUNDS OF A MEMORY BUFFER: By sending malicious specially crafted packets to Port 46824/TCP, an attacker can overflow a memory buffer on the target system. Errors in RunTime.exe and TCPIPS_Story.dll can be exploited by these packets to cause the buffer overflow. The packets can also cause a boundary error in RunTime.exe causing the buffer overflow. This can allow the attacker to cause a denial-of-service condition leading to a crash or possible execution of arbitrary code. CVE-2012-3815 has been assigned to this vulnerability. A CVSS v2 base score of 9.3 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:C/I:C/A:C).

IMPROPER ACCESS CONTROL: Unauthorized users can access and read files on the system that Winlog is running by causing an input validation error. An attacker can send a malicious specially formed packet to Port 46824/TCP to allow unauthorized access to the system, which may lead to information leakage. CVE-2012-3815 has been assigned to this vulnerability. A CVSS v2 base score of 9.3 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:C/I:C/A:C).

IMPROPER ACCESS OF INDEXABLE RESOURCE: By sending malicious specially crafted packets that point outside of the defined array, an attacker can cause a crash of the system. By using 32-bit operation coding, a file pointer outside the array can be used to execute arbitrary code and cause a denial-of-service condition leading to a crash. CVE-2012-3815 has been assigned to this vulnerability. A CVSS v2 base score of 9.3 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:C/I:C/A:C).

WRITE-WHAT-WHERE CONDITION: By sending a malicious specifically formed packet, unauthorized attackers are able to write outside of the existing buffer allocation. The error when allocating when processing these malicious packets can be exploited to reference an invalid memory location. This exploit could cause a crash of the system. CVE-2012-3815 has been assigned to this vulnerability. A CVSS v2 base score of 9.3 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:C/I:C/A:C).

Some of the preceding vulnerability details were obtained from a Secunia Advisory SA49395.

EXPLOITABILITY: These vulnerabilities can be remotely exploited.

EXISTENCE OF EXPLOIT: Exploits that target this vulnerability are publicly available.

DIFFICULTY: An attacker with a low-skill level would be able to exploit these vulnerabilities.

MITIGATION

Sielco Sistemi has created an update to fix these vulnerabilities. This update, Winlog Pro SCADA and Winlog Lite SCADA Version 2.07.18, is available for customer download at the following location:

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.